A Need for Greater Cybersecurity
Report Urges CEOs to Safeguard Computer Networks From Attacks
By Jonathan Krim
Washington Post Staff Writer
Monday, April 12, 2004; Page A02
Chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said.
The group stopped short of urging legislation to require chief executives to certify their companies' cybersecurity measures, as they are now required to do for financial statements after numerous accounting scandals. But in a report to be released today, the group said that cybersecurity should be taken just as seriously by top management.
"The best way to strengthen U.S. information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs," the report said. For too long, the 37-member task force said, senior executives have ignored computer security or left it to their technology officers, who might not have the clout or inclination to make necessary changes.
More....
Security focus or not, can an unrepentant Microsoft be trusted?
Ars Technica News Desk by Ken "Caesar" Fisher
Microsoft is working hard to make good on its promise of making security job #1, and with Windows XP Service Pack 2 just a few months away we're all looking forward to this very important first step. But the Washington Post's Rob Pegoraro wonders if "no-regrets Microsoft" is really worthy of being trusted again. When Pegoraro questioned Ballmer on whether or not the company regrets its early no-holds-barred feature development pace, Ballmer essentially said "no."
"The browser wars were never about security, the browser wars were about features," Ballmer said, explaining why Microsoft added such items to Internet Explorer as ActiveX software to run Windows programs inside the browser. "I'm not saying that was right, with 20/20 hindsight; all I'm saying is the competitive marketplace took us all in a certain direction."
More....
Liability time bomb
You haven’t heard about big data-security lawsuits so far, but it’s just a matter of time
By Wayne Rash, Infoworld
April 09, 2004
"Accountability breeds caution," explains Washington attorney Andrew Greenwald. Greenwald, who specializes in professional negligence, liability, and personal injury cases in Washington and Maryland, says it’s only a matter of time before we start seeing significant awards to people and businesses who have had information released that was supposed to be kept private.
Greenwald also thinks that such cases are necessary to produce accountability in the handling of information that should be secure. The lack of accountability and the lack of pain when security lapses happen are two reasons such lapses keep happening.
They are also the reasons why CFOs continue to see security as a cost to be trimmed as much as possible. After all, why worry about keeping customer information truly secure if there’s no downside if you don’t? This is especially true because security costs money, and many such executives would like to keep even necessary costs down, if only to keep their bonuses flowing. More....
Security tool more harmful than helpful?
By Robert Lemos, CNET News.com, April 8, 2004
The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet. The Metasploit Project and its founder, HD Moore, hope to change that perception.
On Wednesday, the project released an updated design framework to the Metasploit tool, which allows security experts to check computers on their networks and identify those vulnerable to newly released flaws. The updated framework, known as Metasploit Framework 2.0, enables people to create standardized plug-ins for the tool so that they can legally hack into computers by manipulating the latest security holes. The tool already has 18 exploits and 27 different possible payloads. Overall, the tool could help administrators find and patch systems vulnerable to a new flaw, thereby blocking a would-be intruder from breaching a company's network security, according to Moore. "This is a good research tool," Moore said, noting that some 30 percent of Metasploit beta testers are security consultants who seek to plug holes in their clients' networks. More....
Another Cisco router/switch vulnerability reported
By Phil Hochmuth, Network World Fusion, 04/09/04
Cisco this week warned users that a flaw in the VPN blade for its Catalyst 6500 switch could be used by net attackers to crash the device.
Cisco Catalyst 6500 switches and Cisco 7600 series routers running the IPSec-based VPN Services Module (VPNSM) could be brought down if specially crafted Internet Key Exchange (IKE) packets are sent to the module. Cisco says the vulnerability could be used to launch a denial-of-service attack against the affected devices.
Only Catalyst 6500 switches and Cisco 7600 routers with the VPNSM and running IOS versions 12.2SXA, 12.2SXB and 12.2SY are susceptible to the vulnerability, according to Cisco.
The Cisco VPNSM is a module that fits into Cisco switch and router chassis and acts as integrated VPN termination points for remote access and site-to-site VPN setups.
More....
Human Error Tops List of Vulnerabilities
by Mathew Schwartz, Enterprise Systems Security
Only half of respondents in a new survey say their company has a written security policy. Furthermore, despite the increases in threats, many organizations have been slow to make the appropriate investments in time and budget to properly address them.
Today viruses, worms, and software vulnerabilities get the ink, but there’s often another factor to blame: human error. That’s according to the second annual “Analysis of IT Security and the Workforce” survey from the Computing Technology Industry Association (CompTIA).
Almost 900 organizations from 17 countries responded to the survey, reporting on security goings-on in their organization for the last six months of 2003.
A major finding is that respondents label human error as the leading cause—for about half of all incidents—of security breaches. A combination of human error and technical malfunction was second, at 37 percent.
More....
Windows to remain security risk for years to come
News Story by Matthew Broersma, Computerworld
APRIL 07, 2004 (TECHWORLD.COM) - LONDON -- Microsoft Corp.'s efforts to limit the ongoing damage from worms such as Blaster will not pay off for several years, according to security experts. New Windows PCs will begin shipping with security switched on by default for the first time, with the release of Windows XP Service Pack 2 this summer, but it will take five or six years before such basic protections are common on the installed base of PCs, according to a Symantec Corp. executive.
Such unprotected PCs are increasingly being used to spread worms such as Blaster and junk e-mail, usually without the PC owner's knowledge; a recent Symantec survey found that a system will, on average, receive a Blaster-generated packet of data within one second of connecting to the Internet.
More....
Apple responds to trojan horse warning
News Story by Jim Dalrymple
APRIL 10, 2004 (MACCENTRAL) - Apple Computer Inc. responded yesterday to an advisory issued by security software-maker Intego on Thursday (see story). Apple said it is aware of the issue outlined by Intego and is investigating. While one security analyst doesn't feel this is a big deal, he does note that this incident gives absolute proof of the vulnerability.
"We are aware of the potential issue identified by Intego and are working proactively to investigate it," said Apple in a statement. "While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."
In the advisory Thursday, Intego said a Trojan horse called MP3Concept (MP3Virus.Gen) exploits a weakness in Mac OS X where applications can appear to be other types of files.
The release of the Trojan horse, which has been classified by some as more of a proof-of-concept than a real Trojan horse, may be the result of Apple's own success in marketing its operating system. As Mac OS X becomes more popular in the market, virus writers will receive more notoriety for exposing vulnerabilities.
More....
Expert releases Cisco wireless hacking tool
The hacking tool targets networks using the LEAP wireless authentication protocol
News Story by Paul Roberts, Computerworld
APRIL 08, 2004 (IDG NEWS SERVICE) - One day after it disclosed a security vulnerability in a wireless networking product (see story), Cisco Systems Inc. must contend with a new threat -- the long-promised release of a hacking tool that targets wireless networks running its LEAP wireless authentication protocol. The tool, called Asleap, allows users to scan the wireless network broadcast spectrum for networks using LEAP (Lightweight Extensible Authentication Protocol), capture wireless network traffic and crack user passwords, according to a message posted to the Bugtraq online security discussion group yesterday.
Cisco didn't immediately respond to requests for comment.
The tool was designed to compromise WLANs using LEAP with so-called dictionary attacks that exploit weakly protected passwords, according to the message, which purports to be from Joshua Wright, a network engineer at Johnson & Wales University in Providence, R.I. Wright made headlines last year after he publicized the password vulnerability in LEAP (see story).
More....
Vulnerabilities